Many Authoritative nameservers today return different replies based
on the perceived topological location of the user. These servers use
the IP address of the incoming query to identify that location.
Since most queries come from intermediate recursive resolvers, the
source address is that of the recursive rather than of the query
originator.
Traditionally and probably still in the majority of instances,
recursive resolvers are reasonably close in the topological sense to
the stub resolvers or forwarders that are the source of queries. For
these resolvers, using their own IP address is sufficient for
authority servers that tailor responses based upon location of the
querier.
Increasingly though a class of remote recursive servers has arisen
that serves query sources without regard to topology. The motivation
for a query source to use a remote recursive server varies but is
usually because of some enhanced experience, such as greater cache
security or applying policies regarding where users may connect.
(Although political censorship usually comes to mind here, the same
actions may be used by a parent when setting controls on where a
minor may connect.) When using a remote recursive server, there can
no longer be any assumption of close proximity between the originator
and the recursive, leading to less than optimal replies from the
authority servers.
A similar situation exists within some ISPs where the recursive
servers are topologically distant from some edges of the ISP network,
resulting in less than optimal replies from the authority servers.
This draft defines an EDNS0 option to convey network information that
is relevant to the message but not otherwise included in the
datagram. This will provide the mechanism to carry sufficient
network information about the originator for the authority server to
tailor responses. It also provides for the authority server to
indicate the scope of network addresses that the tailored answer is
intended. This EDNS0 option is intended for those recursive and
authority servers that would benefit from the extension and not for
general purpose deployment. It is completely optional and can safely
be ignored by servers that choose not to implement it or enable it.
This draft also includes guidelines on how to best cache those
results and provides recommendations on when this protocol extension
should be used.

There are several reasons and benefits to using your Mikrotik as a DNS caching server. Queries to the client are just a tad faster, which makes the overall user experience seem snappier. It also allows you to quickly change upstream DNS servers in the even of an outage, attack, etc.

There are two main avenues to think about when protecting Mikrotik from DNS.

The first is the incoming port 53 requests to the router. You only want your customers to have access to query the Mikrotik. In a simple scenario we have this:.

ether1 is our upstream ISP connection. Customers are other ports. In this case if we want to block all port 53 requests from the outside world we specify the WAN interface to drop in the following code:

This will still allow your Mikrotik to send out DNS queries because they are sourced from a non reserved port. We are simply blocking the Mikrotik from not answering port 53 requests on the external interface.

In a later post we will talk about what to do if you have multiple wan interfaces or multiple exit paths on your router (say running OSPF)

I was recently asked what some of our most popular services we offer to clients are. The following are the top ones that come to mind

1.Converting bridged networks to routed
2.Remote Monitoring from our Data Centers. This allows a client to be notified in case they lose connectivity to the outside world.
3.Backend automation. Implementing radius, monitoring links, and other things to give the ISP more information
4.Data Center services such as DNS hosting, circuit termination, and bandwidth.
5.Mikrotik configuration and support